Right, got Zimbra using my commercial certs. After Step 2 above:
2.1) keytool -keystore keystore -keyclone -alias 1 -dest tomcat
WHen you create the keystore in step 2, the cert alias is "1". copy the cert in the keystore to a new alias of "tomcat" and then:
2.2) keytool -delete -alias 1 -keystore keystore
And now tomcat will use my commercial certs. w00t :D
I also replaced the SMTP certs, but I'm curious where else Zimbra uses SSL that might need to be touched?